Interesting phenomenom with Windows Server 2008 R2 user access controls and NTFS ACLs
Posted
by
Simon Catlin
on Server Fault
See other posts from Server Fault
or by Simon Catlin
Published on 2012-09-04T20:50:59Z
Indexed on
2012/09/04
21:40 UTC
Read the original article
Hit count: 275
One to try, and I'd appreciate any thoughts on this.
On a Windows Server 2008 R2 box (or presumably 2008 R1, Windows Vista or Windows 7):
i) Logon as an administrator, and create a new NTFS volume
ii) Blow away the standard MS ACLS on the root of the volume (which are laughable), and replace with Administrators:Full Control, System:Full Control, e.g.:
echo Y|cacls.exe d:\ /g "Administrators:F" "SYSTEM:F"
iii) Now, from a Command Prompt shell window or PowerShell window, switch to that drive (cd /d D:\ or set-location D:\ ). Works fine... no issues.
iv) Now, try to browse to the root of the new volume using MS Explorer... Access denied.
Now, I've kind of convinced myself that it is UAC getting in the way, as you can add "Authenticated Users:List" access to D:\ and Explorer then works. I can only assume that MS Explorer isn't able to use the "admin" token for the Administrator. Browsing to explorer.exe and doing a "Run as administrator" has no effect.
Any thoughts?
Cheers in advance.
© Server Fault or respective owner